Mac OS X critical vulnerability puts Windows in danger

Apr 24, 2007 09:44 GMT

When Mac OS X critical vulnerabilities directly impact Windows, does this qualify as a case of unpremeditated sabotage? Well, not really, because this scenario is reciprocal, to say the least. Microsoft is no stranger to patching vulnerabilities on its Mac products either. In this context, a critical vulnerability in the most advanced operating system in the world also affecting the Windows platform is a simple example of irony. Mac OS X is generally perceived as an operating system that is superior to Windows in a range of aspects, security being simply one of them.

At the end of last week, Dino Dai Zovi, a New York hacker, successfully hijacked a MacBook Pro that was set up as a target in a CanSecWest contest with a $10,000 prize. The initial reports pointed out that the hacker had exploited a zero-day vulnerability in Apple's Safari browser. Zovi, however, explained that the vulnerability is in fact a Java-based flaw in QuickTime, Mac OS X's default media player.

Security researcher Thomas Ptacek of Matasano Security in NY revealed additional findings about the vulnerability and warned that Windows users are also at risk. "Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on MacOSX (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability. (Irony!)" he stated. "Firefox and Safari are confirmed vectors on MacIntel. Users of both browsers are placed at risk by this vulnerability in Apple's code. Firefox is a presumed vector on Win32, if Apple's QuickTime code is installed. Users of Firefox on Windows are presumed to be at risk because of this vulnerability in Apple's code."

Safari, Firefox and Internet Explorer can all potentially act as attack vectors, but details associated with Mozilla's open source browser and Microsoft's IE have not been confirmed to this point. Theoretically, Windows machines that have the QuickTime plug-in installed are wide open to attacks, provided the users also run a Java-enabled browser. Reports have yet to reveal whether Windows Vista is affected by the Mac OS X critical vulnerability in QuickTime.